HybridstatePetrinetswhichhavetheanalysispower ofstochastichybridsystemsandtheformalvericationpowerofautomata 231 Compositional specification Automata theory Probabilistic analysis Stochastic analysis SDCPN HSDE GSHS GSHP [C] [E] [B1] [C] [B2] [E] Fig. 2. Relationship between SDCPN, GSHS, GSHP and HSDE, and their key properties and advantages. The [B1] arrow is established in (Blom, 2003). The [B2] arrow is established in (Bujorianu & Lygeros, 2006). The [E] arrows are established in (Everdij & Blom, 2006). The [C] arrows are established in the current chapter, with bisimilarity relations having two- directional arrows. 2. SDCPN This section presents a definition of stochastically and dynamically coloured Petri net (SDCPN). Definition 2.1 (Stochastically and dynamically coloured Petri net). An SDCPN is a collection of elements (P, T , A, N, S, C, I, V, W, G, D, F), together with an SDCPN execution prescription which makes use of a sequence {U i ; i = 0, 1, . . .} of independent uniform U[0, 1] random variables, of independent sequences of mutually independent standard Brownian motions {B i,P t ; i = 1, 2, . . .} of appropriate dimensions, one sequence for each place P, and of five rules R0–R4 that solve enabling conflicts. The formal SDCPN definition p rovid ed below is o rganised as follows: Section 2.1 defines the SDCPN elements ( P, T , A, N , S, C, I, V, W, G, D, F). Section 2.2 exp lains the SDCPN execution, which makes use of the rules R0–R4. Section 2.3 explains how the SDCPN execution defines a unique stochastic process. 2.1 SDCPN elements The SDCPN elements (P, T , A, N , S, C, I, V, W, G, D, F) are defined as foll ows: • P is a finite set of places. • T is a finite set of transitions which consists of 1) a se t T G of guard transitions, 2) a set T D of delay transitions and 3) a set T I of immediate transitions. • A is a finite s et of arcs which consists of 1) a set A O of ordinary arcs, 2) a set A E of enabling arcs and 3) a set A I of inhibitor arcs. • N : A → P × T ∪ T × P is a node function which maps each arc A ∈ A to a pair of ordered nodes N (A), where a node is a place or a tr ansition 1 . The place of N (A) is denoted by P(A), the transition of N (A) is d enoted by T(A), such that f or all A ∈ A E ∪ A I : N (A) = (P(A), T(A )) and for all A ∈ A O : either N (A) = ( P(A), T(A)) or N (A) = (T(A), P(A)). Further notation: – A (T) = {A ∈ A | T(A) = T} denotes the set of arcs connected to transition T, A in (T) = {A ∈ A(T) | N (A) = (P(A), T)} is the set of input arcs of T, A out (T) = {A ∈ A(T) | N (A) = (T, P(A))} is the set of output arcs of T, A in,O (T) = A in (T) ∩ A O is the set of ordinary input arcs of T, A in,OE (T) = A in (T) ∩ {A E ∪ A O } is the set of input arcs of T that are either ordi- nary or enabling, and – P (A ⊂ ) = {P(A); A ∈ A ⊂ } is the multi-set of places connected to the subset of arcs A ⊂ ⊂ A. Finally, {A i ∈ A I | ∃A ∈ A, A = A i : N (A) = N (A i )} = ∅, i.e., if an inhibitor arc points from a place P to a transition T, there is no other arc from P to T. • S ⊂ {R 0 , R 1 , R 2 , . . .} is a finite set of colour types, with R 0  ∅. • C : P → S is a colour type function which maps each place P ∈ P to a specific colour type in S. Each token in P is to have a colour in C(P). Since C(P) ∈ {R 0 , R 1 , . . .}, there exists a function n : P → N such that C(P) = R n(P) . If C( P) = R 0  ∅ then a token in P has no colour. Further notation: if P (A ⊂ ) contains more than one place, e.g., P (A ⊂ ) = {P i 1 , . . . , P i k }, then C(P(A ⊂ )) is defined by C(P i 1 ) × · · · × C(P i k ). • I : N |P| × C(P) N → [0, 1] is a probability measure, which defines the initial marking of the net: for each place it defines a number ≥ 0 of tokens initially in it and it defines their initial colours. Here, N |P|  {(m 1 , . . . , m |P| ); m i ∈ N, m i < ∞, i = 1, . . . , |P|} and C(P) N  {C(P 1 ) m 1 × · · · × C(P |P| ) m |P | ; m i ∈ N, m i < ∞, i = 1, . . . , |P|}, where C(P i ) m i  R m i n(P i ) for all i = 1, . . . , |P|, where P is denoted P = {P 1 , . . . P |P| }. It is assumed that all tokens in a place are distinguishable by a unique identification tag which tr anslates to a unique o rde ring/listing of tokens per place. • V = {V P ; P ∈ P, C(P) = R 0 } is a set of token colour functions. For e ach place P ∈ P for which C(P) = R 0 , it contains a function V P : C(P) → C(P) that defines the drift coefficient of a differential equation for the colour o f a token in place P. • W = {W P ; P ∈ P, C(P) = R 0 } is a set of token colour matrix functions. For each place P ∈ P for which C(P) = R 0 , it contains a measur able mapping W P : C(P) → R n(P)×h(P) that defines the diffusion coefficient of a stochastic differential equation for the colour of a token in place P, where h : P → N. It is assumed that W P and V P satisfy conditions that ensure a probabilistically unique solution of each stochastic differential equation. 2 1 The SDCPN arcs have no arc weights, but this node function de fi nition leaves the freedom to define multiple arcs between t he same pair of transition and place or place and transition (except if an inhibitor arc is involved). 2 In the earlier definition by (Everdij & Blom, 2006) it was assumed that V P and W P satisfy local Lipschitz condition. This condition has now been relaxed to probabilistic uniqueness of solution of the related stochastic differential equation(s). PetriNets:Applications232 • G = {G T ; T ∈ T G } is a set of tr ansition guards. For each T ∈ T G , it contains a tran- sition guard G T , which is an open subset in C(P(A in,OE (T))) with boundary ∂G T . If C(P(A in,OE (T))) = R 0 then ∂G T = ∅. 3 There is no requirement that G T be connected. • D = {D T ; T ∈ T D } is a set of transition delay rates. For each T ∈ T D , it contains a locally integrable transition delay rate D T : C(P(A in,OE (T))) → R + . If C(P(A in,OE (T))) = R 0 then D T is a constant function. 4 • F = {F T ; T ∈ T } is a set of firing measures. For each T ∈ T , it contains a firing measure F T : ({0, 1} |A out (T)| × C(P(A out (T)))) × C(P(A in,OE (T))) → [0, 1], which gen- erates the number and colours of the tokens produced when transition T fires, given the value of the vector ∈ C(P(A in,OE (T))) that collects all input tokens: For each o utput arc ( ∈ A out (T)), zero or one token is p rod uced, and if the colours of the tokens produced are collected in a vector, this vector is ∈ C(P(A out (T))). For each fixed H ⊂ C(P(A out (T))), F T (H; ·) is measurable. For any c ∈ C(P(A in,OE (T))), F T (·; c) is a probability measure. Here, {0, 1} |A out (T)|  {(e 1 , . . . , e |A out (T)| ); e i ∈ {0, 1}, i = 1, . . . , |A out (T)|}. For the places, transitions and arcs, the graphical notation is as i n Figure 3. Place Guard transition G Delay transition D Immediate transition I Ordinary arc Enabling arc Inhibitor arc Fig. 3. Graphical notation for places, transitions and arcs in an SDCPN 2.2 SDCPN execution The execution of an SDCPN provides a series of increasing stopping times, 0 = τ 0 < τ 1 < τ 2 < · · · , with for t ∈ (τ k , τ k+1 ) a fixed number of tokens per place and per token a co lour which is the solution of a stochastic differential equation. It uses a sequence {U i ; i = 0, 1, . . .} of inde p endent uniform U[0, 1] random variables, and independent sequences of mutually independent standard Brownian motions {B i,P t ; i = 1, 2, . . .} of appropriate dimensions, one sequence for each place P. Initiation The probability measure I characterises an initial marking at τ 0 , i. e. it gives each place P ∈ P zero or more tokens and gives each token in P a colour in C(P), i.e. a Euclidean-valued vector. Define the inverse of I by a measurable function I inv : [0, 1] → N |P| × C(P) N such that µ L {u | I inv (u) ∈ H} = I(H), for H Borel measurable and µ L the Lebesgue measure. Then the initial marking is a hybrid random vector characterised by (M 0 , C 0 ) = I inv (U 0 ). Here, M 0 is a |P|-dimensional vector of non-negative integers, the ith component M i,0 of which denotes 3 In earlier SDCPN definitions, the transition guard was d efined as a Boolean function that evaluated to True if the boundary of an open subset was hit by the inp ut token colours. Without losing generality, the transition guard is now defined to be the open subset itself. 4 In earlier SDCPN definitions, the transition delay was defined as a probability distribution function that made use of an integrable transition delay rate. Without losing generality, the transition delay is now defined to be the delay rate itself. the number of tokens initially in place P i , i = 1, . . . |P|, and C 0 is a ∑ |P| i=1 M i,0 n(P i )-dimensional Euclidean-valued random vector which provides the colours of the initial tokens. If M 1,0 ≥ 1 then the first n (P 1 ) components of C 0 are assigned to the first tok en in P 1 . If M 1,0 ≥ 2 then the next n (P 1 ) components of C 0 are assigned to the second token in P 1 , etc., until all tokens i n P 1 have their assigned colour. The following components of C 0 are assigned to tokens in places P 2 , . . . , P |P| in the same way. If C(P) = R 0 then the tokens in P get no colour. Token colour evolution For each token in each p lace P for which C(P) = R 0 : if the co lour of this token is equal to C P 0 at time t = τ 0 , and if this tok en is still in this place at time t > τ 0 , then the colour C P t of this token eq uals the probabilistically unique solution of the stochastic differential eq uation dC P t = V P (C P t )dt + W P (C P t )dB i,P t with initial condition C P τ 0 = C P 0 , and with {B i,P t } an h(P) - dimensional standard Brownian motion. The first token, if any, in place P uses Brownian motion {B 1,P t }; the second token, if any, uses {B 2,P t }, etc. Each token in a place for which C(P) = R 0 remains without colour. Transition enabling A transition T is pre-enabled if it has at least one token per incoming ordinary and enabling arc in each of its input places and has no token in places to which it is connected by an inhibitor arc. For each transition T that is pre-enabled at τ 0 , consider one token per ordinary and en- abling arc in its input places and write C T t ∈ C(P(A in,OE (T))), t ≥ τ 0 , as the column vector containing the colours of these tokens; C T t evolves through time according to its correspond- ing token colour functions of the places in P (A in,OE (T)). If this vector is not unique (i.e., if one input place contains several tokens per arc), all possible such vectors are executed in p ar all el. Hence, a transition can be pre-enabled by multiple combinations of input toke ns in parallel. A transition T is enabled if it is pre-e nabled and a second requirement holds true. For T ∈ T I , the second requirement automatically holds true at the time of pre-enabling. For T ∈ T G , the second requirement holds true when C T t ∈ ∂G T . For T ∈ T D , the second requirement holds true at t = τ 0 + σ T 1 , where σ T 1 is generated from a probability distribution function D T (t − τ 0 ) = 1 − exp(−  t τ 0 D T (C T s )ds), i.e. σ T 1 = D inv T (U), where D inv T is the inverse of D T (t − τ 0 ) defined by D inv T (u) = inf{t − τ 0 | exp(−  t τ 0 D T (C T s )ds) ≤ u}, with inf{ } = +∞. Each delay transition uses one new uniform random variable U ∼ U[0, 1] (per vector of input tokens) each time it becomes pre-enabled to determine its time of enabling. In the case of competing enablings, the fol lowing rules apply: R0 The firing of an immediate transition has priority over the firing of a guard or a delay transition. R1 If one transition becomes e nabled by two or more sets of input tokens at exactly the same time, and the firing of any one set will not disable one or more other sets, then it will fire these sets of tokens independently, at the same time. R2 If one transition becomes e nabled by two or more sets of input tokens at exactly the same time, and the firing of any one set disables one or more oth er sets, then the set that is fired is selected randomly, with the same probability for each set. R3 If two or more transitions become enabled at exactly the same time and the firing of any one transition will not disable the other transitions, then they will fire at the same time. HybridstatePetrinetswhichhavetheanalysispower ofstochastichybridsystemsandtheformalvericationpowerofautomata 233 • G = {G T ; T ∈ T G } is a set of tr ansition guards. For each T ∈ T G , it contains a tran- sition guard G T , which is an open subset in C(P(A in,OE (T))) with boundary ∂G T . If C(P(A in,OE (T))) = R 0 then ∂G T = ∅. 3 There is no requirement that G T be connected. • D = {D T ; T ∈ T D } is a set of transition delay rates. For each T ∈ T D , it contains a locally integrable transition delay rate D T : C(P(A in,OE (T))) → R + . If C(P(A in,OE (T))) = R 0 then D T is a constant function. 4 • F = {F T ; T ∈ T } is a set of firing measures. For each T ∈ T , it contains a firing measure F T : ({0, 1} |A out (T)| × C(P(A out (T)))) × C(P(A in,OE (T))) → [0, 1], which gen- erates the number and colours of the tokens produced when transition T fires, given the value of the vector ∈ C(P(A in,OE (T))) that collects all input tokens: For each o utput arc ( ∈ A out (T)), zero or one token is p rod uced, and if the colours of the tokens produced are collected in a vector, this vector is ∈ C(P(A out (T))). For each fixed H ⊂ C(P(A out (T))), F T (H; ·) is measurable. For any c ∈ C(P(A in,OE (T))), F T (·; c) is a probability measure. Here, {0, 1} |A out (T)|  {(e 1 , . . . , e |A out (T)| ); e i ∈ {0, 1}, i = 1, . . . , |A out (T)|}. For the places, transitions and arcs, the graphical notation is as i n Figure 3. Place Guard transition G Delay transition D Immediate transition I Ordinary arc Enabling arc Inhibitor arc Fig. 3. Graphical notation for places, transitions and arcs in an SDCPN 2.2 SDCPN execution The execution of an SDCPN provides a series of increasing stopping times, 0 = τ 0 < τ 1 < τ 2 < · · · , with for t ∈ (τ k , τ k+1 ) a fixed number of tokens per place and per token a co lour which is the solution of a stochastic differential equation. It uses a sequence {U i ; i = 0, 1, . . .} of inde p endent uniform U[0, 1] random variables, and independent sequences of mutually independent standard Brownian motions {B i,P t ; i = 1, 2, . . .} of appropriate dimensions, one sequence for each place P. Initiation The probability measure I characterises an initial marking at τ 0 , i. e. it gives each place P ∈ P zero or more tokens and gives each token in P a colour in C(P), i.e. a Euclidean-valued vector. Define the inverse of I by a measurable function I inv : [0, 1] → N |P| × C(P) N such that µ L {u | I inv (u) ∈ H} = I(H), for H Borel measurable and µ L the Lebesgue measure. Then the initial marking is a hybrid random vector characterised by (M 0 , C 0 ) = I inv (U 0 ). Here, M 0 is a |P|-dimensional vector of non-negative integers, the ith component M i,0 of which denotes 3 In earlier SDCPN definitions, the transition guard was d efined as a Boolean function that evaluated to True if the boundary of an open subset was hit by the inp ut token colours. Without losing generality, the transition guard is now defined to be the open subset itself. 4 In earlier SDCPN definitions, the transition delay was defined as a probability distribution function that made use of an integrable transition delay rate. Without losing generality, the transition delay is now defined to be the delay rate itself. the number of tokens initially in place P i , i = 1, . . . |P|, and C 0 is a ∑ |P| i=1 M i,0 n(P i )-dimensional Euclidean-valued random vector which provides the colours of the initial tokens. If M 1,0 ≥ 1 then the first n (P 1 ) components of C 0 are assigned to the first token in P 1 . If M 1,0 ≥ 2 then the next n (P 1 ) components of C 0 are assigned to the second token in P 1 , etc., until all tokens i n P 1 have their assigned colour. The following components of C 0 are assigned to tokens in places P 2 , . . . , P |P| in the same way. If C(P) = R 0 then the tokens in P get no colour. Token colour evolution For each token in each p lace P for which C(P) = R 0 : if the co lour of this token is equal to C P 0 at time t = τ 0 , and if this tok en is still in this place at time t > τ 0 , then the colour C P t of this token eq uals the probabilistically unique solution of the stochastic differential eq uation dC P t = V P (C P t )dt + W P (C P t )dB i,P t with initial condition C P τ 0 = C P 0 , and with {B i,P t } an h(P) - dimensional standard Brownian motion. The first token, if any, in place P uses Brownian motion {B 1,P t }; the second token, if any, uses {B 2,P t }, etc. Each token in a place for which C(P) = R 0 remains without colour. Transition enabling A transition T is pre-enabled if it has at least one token per incoming ordinary and enabling arc in each of its input places and has no token in places to which it is connected by an inhibitor arc. For each transition T that is pre-enabled at τ 0 , consider one token per ordinary and en- abling arc in its input places and write C T t ∈ C(P(A in,OE (T))), t ≥ τ 0 , as the column vector containing the colours of these tokens; C T t evolves through time according to its correspond- ing token colour functions of the places in P (A in,OE (T)). If this vector is not unique (i.e., if one input place contains several tokens per arc), all possible such vectors are executed in parallel. Hence, a transition can be pre-enabled by multiple combinations of input toke ns in parallel. A transition T is enabled if it is pre-e nabled and a second requirement holds true. For T ∈ T I , the second requirement automatically holds true at the time of pre-enabling. For T ∈ T G , the second requirement holds true when C T t ∈ ∂G T . For T ∈ T D , the second requirement holds true at t = τ 0 + σ T 1 , where σ T 1 is generated from a probability distribution function D T (t − τ 0 ) = 1 − exp(−  t τ 0 D T (C T s )ds), i.e. σ T 1 = D inv T (U), where D inv T is the inverse of D T (t − τ 0 ) defined by D inv T (u) = inf{t − τ 0 | exp(−  t τ 0 D T (C T s )ds) ≤ u}, with inf{ } = +∞. Each delay transition uses one new uniform random variable U ∼ U[0, 1] (per vector of input tokens) each time it becomes pre-enabled to determine its time of enabling. In the case of competing enablings, the fol lowing rules apply: R0 The firing of an immediate transition has priority over the firing of a guard or a delay transition. R1 If one transition becomes e nabled by two or more sets of input tokens at exactly the same time, and the firing of any one set will not disable one or more other sets, then it will fire these sets of tokens independently, at the same time. R2 If one transition becomes e nabled by two or more sets of input tokens at exactly the same time, and the firing of any one set disables one or more oth er sets, then the set that is fired is selected randomly, with the same probability for each set. R3 If two or more transitions become enabled at exactly the same time and the firing of any one transition will not disable the other transitions, then they will fire at the same time. PetriNets:Applications234 R4 If two or more transitions become enabled at exactly the same time and the firing of any one transition disables some other transitions, then each combination of transitions that can fire independently without leaving enabled transitions gets the same probability of firing. By these rules and their co mbinations, if a transition is enabled in a particular set of tokens, then it i s either fired or it is disabled (in this set of tokens) by the fir ing of another transition. Transition firing If T is enabled, suppose this occurs at time τ 1 and in a particular vector of token colours C T τ 1 , it removes one token per arc in A in,O (T) corresponding with C T τ 1 from each of its input places (i.e. tokens are not removed along enabling arcs). Next, T produces zero or one token along each output arc: If (e T τ 1 , a T τ 1 ) is a random hybrid vector generated from probability measure F T (·; C T τ 1 ), then vector e T τ 1 ∈ {0, 1} |A out (T)| is an |A out (T)|-dimensional vector of zeros and ones, where the ith vector element corresponds with the ith outgoing arc of transition T. An output place gets a token iff it is connected to an arc that corresponds with a vector element 1. Moreover, a T τ 1 ∈ C(P(A out (T))) specifies the colours of the produced tokens, i.e. if the first 1 in e T τ 1 corresponds with an arc from T to P j , then the first n(P j ) elements in vector a T τ 1 are assigned to the token produced in output place P j . The remaining elements in a T τ 1 are assigned to other tokens in the same way. The random hybrid vector from F T (·; C T τ 1 ) is characterised by defining the inverse of F T (·; C T τ 1 ) as a measurable function F inv T : [0, 1] × C(P(A in,OE (T))) → { 0, 1} |A out (T)| × C(P(A out (T))) such that µ L {u | F inv T (u, c) ∈ H} = F T (H; c) for H in the Borel set of {0, 1} |A out (T)| × C(P(A out (T))) and µ L is the Lebesgue measure. Then (e T τ 1 , a T τ 1 ) = F inv T (U, C T τ 1 ). Each firing transition uses one new uniform random vari able U ∼ U[0, 1] per firing to determine its output tokens. Execution from first transition firing onwards At t = τ 1 , zero or more transitions are pre-enabled (if this number is zero, no transitions will fire anymore). If these include immediate transitions, then these are fired without delay, but with use of rules R0–R4. If after this, still immediate transitions are enabled, then these are also fired, and so forth, until no more immediate transitions are enabled. Each of the immediate transitions that fire uses their firing measure and one uniform random vari able (per firing) to determine the number and colo urs of their output tokens. Next, the SDCPN is executed in the same way as described above for the situation from τ 0 onwards. In order to keep track of the identity of individual tokens, the tokens in a place are ordered according to the time at which they entered the place, or, if several tokens are produced for one place at the same time, according to the order within the set of arcs A = {A 1 , . . . , A |A| } along which these tokens were produced (the firing measure produces zero or one token along each output arc). If due to rule R1, a transition fires two or more tokens along one arc at the same time, their assigned order is according to the colours they have (smallest co lour first). If under these conditions, two tokens have exactly the same colour, they are indistinguishable and the marking will not be dependent on their order. 2.3 SDCPN stochastic process The marking of the SDCPN is given by the numbers of tokens in the places and the associated colour values of these tokens. Due to the uniquely defined order of the tokens, the mark ing is unique except possibly when one or more transitions fire (particularly, immediate transitions fire without delay hence a sequence of immediate transitions firing will generate a s equence of markings at the same time instant). The SDCPN marking at each time instant can be mapped to a probabilistically unique SDCPN stochastic process {M t , C t } as follows: For any t ≥ τ 0 , let a token distribution be characterised by the vector M  t = (M  1,t , . . . , M  |P| ,t ), where M  i,t ∈ N denotes the number of tokens in place P i at time t and 1, . . . , |P| refers to a unique ordering of places adopted for SDCPN. At times t ∈ (τ k−1 , τ k ) when no transition fires, the token distribution is unique and the SDCPN discrete process state M t is defined to be equal to M  t . The associated colours of these tokens are gathered in a column vector C t which first contains all colours of tokens in place P 1 , next (i.e. below it) all colours of tokens in place P 2 , etc, until place P |P| , where 1, . . . , |P| refer s to a unique ordering of places adopted for SDCPN. Within a place the colours of the tokens are ordered according to the unique ordering of tokens within their place defined for SDCPN (see under SDCPN execution above). If at time t = τ k one or more transitions fire, then the set of applicable token distributions is collected in  M τ k = {M  τ k | M  τ k is a token distribution at time τ k }, and the SDCPN discrete process state at time τ k is defined by M τ k = {M  τ k | M  τ k ∈  M τ k and no transitions are enabled in M  τ k }. In other words, M τ k is defined to be the token distribution that occurs after all tran- sitions that fire at time τ k have been fired. The associated colours of these tokens are gathered in a column vector C τ k in the same way as described above. This construction ensures that the process {M t , C t } has limits from the left and is continuous from the right, i .e., it satisfies the càdlàg property. If at a time t when one or more transitions fire, the process {M t } jumps to the same value again, and only C t makes a jump, then the càdlàg property for {C t } (hence for {M t , C t }) is s til l maintained due to the timing construction of {M t } above and the direct coupling of {C t } with {M t }. 3. GSHS This section presents, following (Bujorianu & Lygeros, 2006), a definition of general stochastic hybrid system (GSHS) and its execution. Definition 3.1 (General stochastic hybrid system). A GSHS is an automaton (K, d, X , f , g, Init, λ, Q), where • K is a countable set. • d : K → N maps each θ ∈ K to a natural number. • X : K → {E θ ; θ ∈ K} maps each θ ∈ K to an open subset E θ of R d(θ) . With this, the hybrid state space is given by E  { {θ} × E θ ; θ ∈ K}. • f : E → {R d(θ) ; θ ∈ K} is a vector field. • g : E → {R d(θ)×h ; θ ∈ K} is a matrix field, with h ∈ N. • Init: B(E) → [0, 1] is an initial probability measure, with B(E) the Borel σ-algebra on E. • λ : E → R + is a jump rate function. • Q : B(E) × (E ∪ ∂E) → [0, 1] is a GSHS transition measure, where ∂E  {{θ} × ∂ E θ ; θ ∈ K} is the boun dary of E, in which ∂E θ is the boundary of E θ . Definition 3.2 (GSHS execution). A stochastic process {θ t , X t } is called a GSHS execution if there exists a sequence of stopping times 0 = τ 0 < τ 1 < τ 2 · · · such that for each k ∈ N: • (θ 0 , X 0 ) is an E-valued random variable extracted according to probability measure Init. HybridstatePetrinetswhichhavetheanalysispower ofstochastichybridsystemsandtheformalvericationpowerofautomata 235 R4 If two or more transitions become enabled at exactly the same time and the firing of any one transition disables some other transitions, then each combination of transitions that can fire independently without leaving enabled transitions gets the same probability of firing. By these rules and their co mbinations, if a transition is enabled in a particular set of tokens, then it i s either fired or it is disabled (in this set of tokens) by the fir ing of another transition. Transition firing If T is enabled, suppose this occurs at time τ 1 and in a particular vector of token colours C T τ 1 , it removes one token per arc in A in,O (T) corresponding with C T τ 1 from each of its input places (i.e. tokens are not removed along enabling arcs). Next, T produces zero or one token along each output arc: If (e T τ 1 , a T τ 1 ) is a random hybrid vector generated from probability measure F T (·; C T τ 1 ), then vector e T τ 1 ∈ {0, 1} |A out (T)| is an |A out (T)|-dimensional vector of zeros and ones, where the ith vector element corresponds with the ith outgoing arc of transition T. An output place gets a token iff it is connected to an arc that corresponds with a vector element 1. Moreover, a T τ 1 ∈ C(P(A out (T))) specifies the colours of the produced tokens, i.e. if the first 1 in e T τ 1 corresponds with an arc from T to P j , then the first n(P j ) elements in vector a T τ 1 are assigned to the token produced in output place P j . The remaining elements in a T τ 1 are assigned to other tokens in the same way. The random hybrid vector from F T (·; C T τ 1 ) is characterised by defining the inverse of F T (·; C T τ 1 ) as a measurable function F inv T : [0, 1] × C(P(A in,OE (T))) → { 0, 1} |A out (T)| × C(P(A out (T))) such that µ L {u | F inv T (u, c) ∈ H} = F T (H; c) for H in the Borel set of {0, 1} |A out (T)| × C(P(A out (T))) and µ L is the Lebesgue measure. Then (e T τ 1 , a T τ 1 ) = F inv T (U, C T τ 1 ). Each firing transition uses one new uniform random vari able U ∼ U[0, 1] per firing to determine its output tokens. Execution from first transition firing onwards At t = τ 1 , zero or more transitions are pre-enabled (if this number is zero, no transitions will fire anymore). If these include immediate transitions, then these are fired without delay, but with use of rules R0–R4. If after this, still immediate transitions are enabled, then these are also fired, and so forth, until no more immediate transitions are enabled. Each of the immediate transitions that fire uses their firing measure and one uniform random vari able (per firing) to determine the number and colo urs of their output tokens. Next, the SDCPN is executed in the same way as described above for the situation from τ 0 onwards. In order to keep track of the identity of individual tokens, the tokens in a place are ordered according to the time at which they entered the place, or, if several tokens are produced for one place at the same time, according to the order within the set of arcs A = {A 1 , . . . , A |A| } along which these tokens were produced (the firing measure produces zero or one token along each output arc). If due to rule R1, a transition fires two or more tokens along one arc at the same time, their assigned order is according to the colours they have (smallest co lour first). If under these conditions, two tokens have exactly the same colour, they are indistinguishable and the marking will not be dependent on their order. 2.3 SDCPN stochastic process The marking of the SDCPN is given by the numbers of tokens in the places and the associated colour values of these tokens. Due to the uniquely defined order of the tokens, the mark ing is unique except possibly when one or more transitions fire (particularly, immediate transitions fire without delay hence a sequence of immediate transitions firing will generate a s equence of markings at the same time instant). The SDCPN marking at each time instant can be mapped to a probabilistically unique SDCPN stochastic process {M t , C t } as follows: For any t ≥ τ 0 , let a token distribution be characterised by the vector M  t = (M  1,t , . . . , M  |P| ,t ), where M  i,t ∈ N denotes the number of tokens in place P i at time t and 1, . . . , |P| refers to a unique ordering of places adopted for SDCPN. At times t ∈ (τ k−1 , τ k ) when no transition fires, the token distribution is unique and the SDCPN discrete process state M t is defined to be equal to M  t . The associated colours of these tokens are gathered in a column vector C t which first contains all colours of tokens in place P 1 , next (i.e. below it) all colours of tokens in place P 2 , etc, until place P |P| , where 1, . . . , |P| refer s to a unique ordering of places adopted for SDCPN. Within a place the colours of the tokens are ordered according to the unique ordering of tokens within their place defined for SDCPN (see under SDCPN execution above). If at time t = τ k one or more transitions fire, then the set of applicable token distributions is collected in  M τ k = {M  τ k | M  τ k is a token distribution at time τ k }, and the SDCPN discrete process state at time τ k is defined by M τ k = {M  τ k | M  τ k ∈  M τ k and no transitions are e nabled in M  τ k }. In other words, M τ k is defined to be the token distribution that occurs after all tran- sitions that fire at time τ k have been fired. The associated colours of these tokens are gathered in a column vector C τ k in the same way as described above. This construction ensures that the process {M t , C t } has limits from the left and is continuous from the right, i .e., it satisfies the càdlàg property. If at a time t when one or more transitions fire, the process {M t } jumps to the same value again, and only C t makes a jump, then the càdlàg property for {C t } (hence for {M t , C t }) is s til l maintained due to the timing construction of {M t } above and the direct coupling of {C t } with {M t }. 3. GSHS This section presents, following (Bujorianu & Lygeros, 2006), a definition of general stochastic hybrid system (GSHS) and its execution. Definition 3.1 (General stochastic hybrid system). A GSHS is an automaton (K, d, X , f , g, Init, λ, Q), where • K is a countable set. • d : K → N maps each θ ∈ K to a natural number. • X : K → {E θ ; θ ∈ K} maps each θ ∈ K to an open subset E θ of R d(θ) . With this, the hybrid state space is given by E  { {θ} × E θ ; θ ∈ K}. • f : E → {R d(θ) ; θ ∈ K} is a vector field. • g : E → {R d(θ)×h ; θ ∈ K} is a matrix field, with h ∈ N. • Init: B(E) → [0, 1] is an initial probability measure, with B(E) the Borel σ-algebra on E. • λ : E → R + is a jump rate function. • Q : B(E) × (E ∪ ∂E) → [0, 1] is a GSHS transition measure, where ∂E  {{θ} × ∂ E θ ; θ ∈ K} is the boun dary of E, in which ∂E θ is the boundary of E θ . Definition 3.2 (GSHS execution). A stochastic process {θ t , X t } is called a GSHS execution if there exists a sequence of stopping times 0 = τ 0 < τ 1 < τ 2 · · · such that for each k ∈ N: • (θ 0 , X 0 ) is an E-valued random variable extracted according to probability measure Init. PetriNets:Applications236 • For t ∈ [τ k , τ k+1 ), θ t = θ τ k and X t = X k t , where for t ≥ τ k , X k t is a solution of the stochastic differential equation dX k t = f (θ τ k , X k t )dt + g(θ τ k , X k t )dB θ τ k t with initial condition X k τ k = X τ k , and where {B θ t } is h-dimensional standard Brownian motion for each θ ∈ K. • τ k+1 = τ k + σ k , where σ k is chosen according to a survivor function given by F(t) = 1 (t<τ ∗ ) exp(−  t 0 λ(θ, X k s )ds). Here, τ ∗ = inf{t > τ k | X k t ∈ ∂E θ τ k } and 1 is indicator function. • The probability distribution of (θ τ k+1 , X τ k+1 ), i.e. the hybrid state right after the jump, is gov- erned by the law Q (·; (θ τ k , X τ k+1 − )). (Bujorianu & Lygeros, 2006) show that under assumptions G1-G4 below, a GSHS execution is a strong Markov Process and has the càdlàg property (right continuous with lef t hand limits). G1 f (θ, ·) and g(θ, ·) are Lipschitz continuous and bounded. This yields that for each ini- tial state (θ, x) at initial time τ there exists a pathwise unique solution X t to dX t = f (θ, X t )dt + g(θ, X t )dB t , where {B t } is h-dimensional standard Brownian motion. G2 λ : E → R + is a measurable function such that for all ξ ∈ E, there is (ξ) > 0 such that t → λ(θ t , X t ) is integrable on [0,  (ξ)). G3 For each fixe d A ∈ B(E), the map ξ → Q(A; ξ) is measurable and for any (θ, x) ∈ E ∪ ∂E, Q(·; θ, x) is a probability measure. G4 If N t = ∑ k 1 (t≥τ k ) , then it is assumed that for every starting po int (θ, x) and for all t ∈ R + , EN t < ∞. T his means, there will be a finite number of jumps in finite time. 4. HSDE This section p resents, following (Blom, 2003) and (Blom et al., 2003), a definition of hybrid stochastic differential equation (HSDE) and gives conditions under which the HSDE has a path- wise unique so lution. This pathwise unique solution is referred to as HSDE solution process or GSHP. The basic advantage of using HSDE in defining a GSHP over using GSHS is that with the HSDE approach the spontaneous jump mechanism is exp licitly built on an underlying stochastic basis, whereas in GSHS the execution itself imposes an underlying stochastic basis. The differences are further discussed in Section 4.3. For the HSDE setting we start with a complete stochastic basis (Ω,  , F, P, T), in which a complete probability space (Ω, , P) is equipped with a right-continuous filtration F = { t } on the positive time line T = R + . This stochastic basis is endowed with a probability measure µ θ 0 ,X 0 for the initial state, an independent h-dimensional standard Wiener process {W t } and an independent homogeneous Poisson random measure p P (dt, dz) on T × R d+1 . Definition 4.1 (Hybrid stochastic differential equation). An HSDE on stochastic basis (Ω, , F, P, T), is defined as a set of equations (1)-(8) in which a collection of elements (M , E, f, g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }) appear. This section is organised as follows: Section 4.1 e xplains the elements and the equations (1)- (8) that define HSDE. Section 4.2 shows that under a number of HSDE conditions H1-H8, the HSDE has a pathwise unique solution which is a semi-martingale. Section 4.3 discusses the differences between GSHP as solution of HSDE and GSHP as execution of GSHS. 4.1 HSDE elements and equations This section p resents the elements and equations that define a HSDE on a hybrid state space. The elements (M, E, f , g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }) are defined as follows: • M = {ϑ 1 , . . . , ϑ N } is a finite se t, N ∈ N, 1 ≤ N < ∞. • E = {{θ} × E θ ; θ ∈ M} is the hybrid state space, where for each θ ∈ M, E θ is an open subset of R n with boundary ∂E θ . T he boundary of E is ∂E = {{θ} × ∂E θ ; θ ∈ M}. • f : M × R n → R n is a measurable mapping. • g : M × R n → R n×h is a measurable mapping. • µ θ 0 ,X 0 : Ω × B(E) → [0, 1] is a probability measure for the initial random variables θ 0 , X 0 , which are defined on the stochastic basis; µ θ 0 ,X 0 is assumed to be invertible. • Λ : M × R n → [0, ∞) is a measurable mapping. • ψ : M × M × R n × R d → R n is a measurable mapping such that x + ψ(ϑ, θ, x, z ) ∈ E ϑ for all x ∈ E θ , z ∈ R d , and ϑ, θ ∈ M. • ρ : M × M × R n → [ 0, ∞) is a measurable mapping such that ∑ N i =1 ρ(ϑ i , θ, x) = 1 for all θ ∈ M, x ∈ R n . • µ : Ω × R d → [ 0, 1] is a probability measure which is assumed to be i nvertible. • p P : Ω × T × R d+1 → {0, 1} is a homogeneous Poisson random measure on the stochastic basis, independent of (θ 0 , X 0 ). The intensity measure of p P (dt, dz) equals dt · µ L (dz 1 ) · µ(dz ), where z = Col{z 1 , z} and µ L is the Lebesgue measure. • W : Ω × T → R h such that {W t } is an h-dimensional standard Wiener process on the stochastic basis, and independent of (θ 0 , X 0 ) and p P . Using these elements, the HSDE process {θ ∗ t , X ∗ t } is defined as follows: θ ∗ t = θ k t for all t ∈ [τ b k , τ b k +1 ), k = 0, 1, 2, . . . (1) X ∗ t = X k t for all t ∈ [τ b k , τ b k +1 ), k = 0, 1, 2, . . . (2) Hence {θ ∗ t , X ∗ t } consists of a concatenation of processes {θ k t , X k t } which are defined by (3)-(8) below. If the system (1)-(8) has a solution in probabilistic sense, then the process {θ ∗ t , X ∗ t } is referred to as HSDE solution process or GSHP. dθ k t = N ∑ i=1 (ϑ i − θ k t − )p P (dt, (Σ i−1 (θ k t − , X k t − ), Σ i (θ k t − , X k t − )] × R d ) (3) dX k t = f (θ k t , X k t )dt + g(θ k t , X k t )dW t +  R d ψ(θ k t , θ k t − , X k t − , z )p P (dt, (0, Λ(θ k t − , X k t − )] × dz) (4) with θ 0 0 = θ 0 , X 0 0 = X 0 and with Σ 0 through Σ N measurable mappings satisfyi ng, for θ ∈ M, ϑ j ∈ M, x ∈ R n : Σ i (θ, x) =  Λ (θ, x) ∑ i j =1 ρ(ϑ j , θ, x) if i > 0 0 if i = 0 (5) In addition, f or k = 0, 1, 2, . . ., with τ b 0 = 0: τ b k +1  inf{t > τ b k | (θ k t , X k t ) ∈ ∂E} (6) P {θ k+1 τ b k +1 = ϑ, X k+1 τ b k +1 ∈ A | θ k τ b k +1 − = θ, X k τ b k +1 − = x} = Q({ϑ} × A; θ, x ) (7) for A ∈ B(R n ), where Q is given by Q ({ϑ} × A; θ, x) = ρ(ϑ, θ, x)  R d 1 A (x + ψ(ϑ, θ, x, z))µ(dz) (8) HybridstatePetrinetswhichhavetheanalysispower ofstochastichybridsystemsandtheformalvericationpowerofautomata 237 • For t ∈ [τ k , τ k+1 ), θ t = θ τ k and X t = X k t , where for t ≥ τ k , X k t is a solution of the stochastic differential equation dX k t = f (θ τ k , X k t )dt + g(θ τ k , X k t )dB θ τ k t with initial condition X k τ k = X τ k , and where {B θ t } is h-dimensional standard Brownian motion for each θ ∈ K. • τ k+1 = τ k + σ k , where σ k is chosen according to a survivor function given by F(t) = 1 (t<τ ∗ ) exp(−  t 0 λ(θ, X k s )ds). Here, τ ∗ = inf{t > τ k | X k t ∈ ∂E θ τ k } and 1 is indicator function. • The probability distribution of (θ τ k+1 , X τ k+1 ), i.e. the hybrid state right after the jump, is gov- erned by the law Q (·; (θ τ k , X τ k+1 − )). (Bujorianu & Lygeros, 2006) show that under assumptions G1-G4 below, a GSHS execution is a strong Markov Process and has the càdlàg property (right continuous with lef t hand limits). G1 f (θ, ·) and g(θ, ·) are Lipschitz continuous and bounded. This yields that for each ini- tial state (θ, x) at initial time τ there exists a pathwise unique solution X t to dX t = f (θ, X t )dt + g(θ, X t )dB t , where {B t } is h-dimensional standard Brownian motion. G2 λ : E → R + is a measurable function such that for all ξ ∈ E, there is (ξ) > 0 such that t → λ(θ t , X t ) is integrable on [0,  (ξ)). G3 For each fixe d A ∈ B(E), the map ξ → Q(A; ξ) is measurable and for any (θ, x) ∈ E ∪ ∂E, Q(·; θ, x) is a probability measure. G4 If N t = ∑ k 1 (t≥τ k ) , then it is assumed that for every starting po int (θ, x) and for all t ∈ R + , EN t < ∞. T his means, there will be a finite number of jumps in finite time. 4. HSDE This section p resents, following (Blom, 2003) and (Blom et al., 2003), a definition of hybrid stochastic differential equation (HSDE) and gives conditions under which the HSDE has a path- wise unique so lution. This pathwise unique solution is referred to as HSDE solution process or GSHP. The basic advantage of using HSDE in defining a GSHP over using GSHS is that with the HSDE approach the spontaneous jump mechanism is exp licitly built on an underlying stochastic basis, whereas in GSHS the execution itself imposes an underlying stochastic basis. The differences are further discussed in Section 4.3. For the HSDE setting we start with a complete stochastic basis (Ω,  , F, P, T), in which a complete probability space (Ω, , P) is equipped with a right-continuous filtration F = { t } on the positive time line T = R + . This stochastic basis is endowed with a probability measure µ θ 0 ,X 0 for the initial state, an independent h-dimensional standard Wiener process {W t } and an independent homogeneous Poisson random measure p P (dt, dz) on T × R d+1 . Definition 4.1 (Hybrid stochastic differential equation). An HSDE on stochastic basis (Ω, , F, P, T), is defined as a set of equations (1)-(8) in which a collection of elements (M , E, f, g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }) appear. This section is organised as follows: Section 4.1 e xplains the elements and the equations (1)- (8) that define HSDE. Section 4.2 shows that under a number of HSDE conditions H1-H8, the HSDE has a pathwise unique solution which is a semi-martingale. Section 4.3 discusses the differences between GSHP as solution of HSDE and GSHP as execution of GSHS. 4.1 HSDE elements and equations This section p resents the elements and equations that define a HSDE on a hybrid state space. The elements (M, E, f , g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }) are defined as follows: • M = {ϑ 1 , . . . , ϑ N } is a finite se t, N ∈ N, 1 ≤ N < ∞. • E = {{θ} × E θ ; θ ∈ M} is the hybrid state space, where for each θ ∈ M, E θ is an open subset of R n with boundary ∂E θ . T he boundary of E is ∂E = {{θ} × ∂E θ ; θ ∈ M}. • f : M × R n → R n is a measurable mapping. • g : M × R n → R n×h is a measurable mapping. • µ θ 0 ,X 0 : Ω × B(E) → [0, 1] is a probability measure for the initial random variables θ 0 , X 0 , which are defined on the stochastic basis; µ θ 0 ,X 0 is assumed to be invertible. • Λ : M × R n → [0, ∞) is a measurable mapping. • ψ : M × M × R n × R d → R n is a measurable mapping such that x + ψ(ϑ, θ, x, z ) ∈ E ϑ for all x ∈ E θ , z ∈ R d , and ϑ, θ ∈ M. • ρ : M × M × R n → [ 0, ∞) is a measurable mapping such that ∑ N i =1 ρ(ϑ i , θ, x) = 1 for all θ ∈ M, x ∈ R n . • µ : Ω × R d → [ 0, 1] is a probability measure which is assumed to be i nvertible. • p P : Ω × T × R d+1 → {0, 1} is a homogeneous Poisson random measure on the stochastic basis, independent of (θ 0 , X 0 ). The intensity measure of p P (dt, dz) equals dt · µ L (dz 1 ) · µ(dz ), where z = Col{z 1 , z} and µ L is the Lebesgue measure. • W : Ω × T → R h such that {W t } is an h-dimensional standard Wiener process on the stochastic basis, and independent of (θ 0 , X 0 ) and p P . Using these elements, the HSDE process {θ ∗ t , X ∗ t } is defined as follows: θ ∗ t = θ k t for all t ∈ [τ b k , τ b k +1 ), k = 0, 1, 2, . . . (1) X ∗ t = X k t for all t ∈ [τ b k , τ b k +1 ), k = 0, 1, 2, . . . (2) Hence {θ ∗ t , X ∗ t } consists of a concatenation of processes {θ k t , X k t } which are defined by (3)-(8) below. If the system (1)-(8) has a solution in probabilistic sense, then the process {θ ∗ t , X ∗ t } is referred to as HSDE solution process or GSHP. dθ k t = N ∑ i=1 (ϑ i − θ k t − )p P (dt, (Σ i−1 (θ k t − , X k t − ), Σ i (θ k t − , X k t − )] × R d ) (3) dX k t = f (θ k t , X k t )dt + g(θ k t , X k t )dW t +  R d ψ(θ k t , θ k t − , X k t − , z )p P (dt, (0, Λ(θ k t − , X k t − )] × dz) (4) with θ 0 0 = θ 0 , X 0 0 = X 0 and with Σ 0 through Σ N measurable mappings satisfyi ng, for θ ∈ M, ϑ j ∈ M, x ∈ R n : Σ i (θ, x) =  Λ (θ, x) ∑ i j =1 ρ(ϑ j , θ, x) if i > 0 0 if i = 0 (5) In addition, f or k = 0, 1, 2, . . ., with τ b 0 = 0: τ b k +1  inf{t > τ b k | (θ k t , X k t ) ∈ ∂E} (6) P {θ k+1 τ b k +1 = ϑ, X k+1 τ b k +1 ∈ A | θ k τ b k +1 − = θ, X k τ b k +1 − = x} = Q({ϑ} × A; θ, x ) (7) for A ∈ B(R n ), where Q is given by Q ({ϑ} × A; θ, x) = ρ(ϑ, θ, x)  R d 1 A (x + ψ(ϑ, θ, x, z))µ(dz) (8) PetriNets:Applications238 4.2 HSDE solution This subsection shows that under a set of sufficient conditions H1-H8, the HSDE (1)-(8) has a pathwise unique solution. Note that the existence of a pathwise unique solution guarantees the existence of a unique solution in probabilistic sense. Proposition 4.1. Let conditions H1-H8 below hold true. Let (θ ∗ 0 (ω), X ∗ 0 (ω)) = (θ 0 , X 0 ) ∈ E for all ω. Then for every initial condition (θ 0 , X 0 ), (1)-(8) has a pathwise unique solution {θ ∗ t , X ∗ t } which is càdlàg and adapted and is a semi-martingale assuming valu es in the hybrid state space E. H1 For all θ ∈ M there exists a constant K(θ) such that for all x ∈ R n , | f (θ, x)| 2 +  g(θ, x)) 2 ≤ K(θ)( 1 + |x| 2 ), where |a| 2 = ∑ i (a i ) 2 and ||b|| 2 = ∑ i,j (b ij ) 2 . H2 For all r ∈ N and for all θ ∈ M there exists a constant L r (θ) such that for all x and y in the ball B r = {z ∈ R n | |z| ≤ r + 1}, | f (θ, x) − f (θ, y)| 2 + g(θ, x) − g(θ, y) 2 ≤ L r (θ)|x − y| 2 . H3 For each θ ∈ M, the mapping Λ(θ, ·) : R n → [0, ∞) is continuous and bounded, with upper bound a constant C Λ . H4 For all (θ, ϑ) ∈ M 2 , the mapping ρ (ϑ, θ, ·) : R n → [0, ∞) is continuous. H5 For all r ∈ N there exists a constant M r (θ) such that sup |x|≤r  R d |ψ(ϑ, θ, x, z )|µ(dz) ≤ M r (θ), for all ϑ, θ ∈ M H6 |ψ(θ, θ, x, z )| = 0 or > 1 for all θ ∈ M, x ∈ R n , z ∈ R d H7 {(θ ∗ t , X ∗ t )} hits the boundary ∂ E a finite number of times on any finite time interval H8 |ϑ i − ϑ j | > 1 for i = j, with | · | a suitable metric well defined on M. (Blom, 2003) has used (Lepeltier & Marchal, 1976) to prove a version of Proposition 4.1 where E = M × R n , i.e. there are no boundaries with instantaneous jumps. Subsequently, (Blom et al., 2003) have proven the proposition under H1-H8 and the additional co ndi tio n that {τ b k } is a sequence of predictable stopping times. (Krystul, 2006; Krystul & Blom, 2005) have shown that this additional condition can be removed. An overview of various HSDE versions is given in (Krystul et al., 2007). 4.3 Discussion of HSDE versus GSHS HSDE and GSHS have a lot of similarities . Both concatenate different solutions of SDEs with hybrid jumps at each moment of switching to another SDE. Hence the differences are of a rather technical nature. This section collects these technical differences between GSHS and its GSHP execution, versus HSDE and its GSHP solution: 1. For GSHS, the discrete state space is a countable space of discrete variables. For HSDE, the discrete state space is a finite set. 2. For GSHS, the continuous state i s Euclidean with a dimension dependent on θ. For HSDE, the continuous state is Euclidean with constant dimension n. 3. The times of spontaneous jump of the GSHS execution are driven by a survivor function which imposes a stochastic basis. For HSDE, the times of spontaneous jumps are driven by a Poisson random measure endowed upon a given stochastic basis. 4. For GSHS, the size of jump is driven by a transition measure Q. For HSDE, the jump size is determined by probability measure µ and measurable mappings ψ and ρ. 5. GSHS involves |K| Brownian motions. HSDE involves one Wiener process only. 6. For GSHS, the drift and diffusion coefficient are assumed (globally) Lipschitz and bounded. For HSDE, the drif t and dissusion coefficient are locally Lipschitz and are allowed to grow with the continuous state. For 1) and 2), GSHS has as advantage of bei ng more general than HSDE. HSDE however has significant advantages regarding issues 3)-6): Regarding 3)-5), HSDE has the advantage that this allows to establish the semi-martingale property. Regarding 6), HSDE removes the particular restriction of GSHS which excludes jump linear systems. 5. SDCPN, GSHS and HSDE are bisimilar This section shows that for each SDCPN there exists a GSHS which i s bisimular, and there exists a HSDE which is bisimular. This is shown in the four theorems below. Theorem 5.1. Consider an arbitrary GSHS (K, d, X , f , g, Init, λ, Q) with a finite domain K. If for each θ and initial value X 0 , the stochastic differential equation dX t = f(θ, X t )dt + g(θ, X t )dB t has a unique solution in probabilistic sense, then this GSHS can be mapped into an SDCPN (P, T , A, N , S, C, I, V, W, G, D, F) satisfying R0-R4. If the resulting SDCPN is executed on a probability space endowed with standard Brownian motion (one for each place), then the resulting SDCPN process and the GSHS execution are probabilistically equivalent. Proof. See (Everdij & Blom, 2006). Theorem 5.2. Consider an arbitrary SDCPN (P, T , A, N , S, C, I, V, W, G, D, F) satisfying R0- R4. If in the initial marking no immediate transit ion is enabled, an d if the number of tokens remains finite for t → ∞, then this SDCPN can be mapped into a GSHS (K, d, X , f , g, Init, λ, Q). If the original SDCPN is executed on a probability space endowed with Brownian motion (one for each place) then the resulting GSHS execution and the SDCPN process are probabilistically equivalent. Proof. See (Everdij & Blom, 2006). Theorem 5.3 (HSDE into SDCPN). Consider an arbitrary HSDE (1)-(8) with elements (M, E , f , g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }). I f for each θ the stochastic differential equation dX t = f (θ, X t )dt + g(θ, X t )dW t has a unique solution in probabilistic sense and if Λ is bounded, then the elements of this HSDE can be mapped into an SDCPN (P, T , A, N , S, C, I, V, W, G, D, F) satisfying R0– R4. If the resulting SDCPN is executed on a probability space endowed with sequences of standard Brownian motions (one sequence for each place), then the resulting SDCPN process and the HSDE solution process are probabilistically equivalent. Proof. See Appendix A. Theorem 5.4 (SDCPN into HSDE). Consider an arbitrary SDCPN (P, T , A, N , S, C, I, V, W, G, D, F) satisfying R0–R4. If in the initial marking no immediate transition is enabled, if the delay rates D T are bounded, and if the number of tokens remains finite for t → ∞, then this SDCPN can be mapped into a HSDE ( 1)-(8) with elements (M, E, f , g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }). If the original SDCPN is executed on a probability space which is endowed with sequences of standard Brownian motions (one sequence for each place), then the resulting HSDE solution process and the SDCPN process are probabilistically equivalent. Proof. See Appendix B. HybridstatePetrinetswhichhavetheanalysispower ofstochastichybridsystemsandtheformalvericationpowerofautomata 239 4.2 HSDE solution This subsection shows that under a set of sufficient conditions H1-H8, the HSDE (1)-(8) has a pathwise unique solution. Note that the existence of a pathwise unique solution guarantees the existence of a unique solution in probabilistic sense. Proposition 4.1. Let conditions H1-H8 below hold true. Let (θ ∗ 0 (ω), X ∗ 0 (ω)) = (θ 0 , X 0 ) ∈ E for all ω. Then for every initial condition (θ 0 , X 0 ), (1)-(8) has a pathwise unique solution {θ ∗ t , X ∗ t } which is càdlàg and adapted and is a semi-martingale assuming valu es in the hybrid state space E. H1 For all θ ∈ M there exists a constant K(θ) such that for all x ∈ R n , | f (θ, x)| 2 +  g(θ, x)) 2 ≤ K(θ)( 1 + |x| 2 ), where |a| 2 = ∑ i (a i ) 2 and ||b|| 2 = ∑ i,j (b ij ) 2 . H2 For all r ∈ N and for all θ ∈ M there exists a constant L r (θ) such that for all x and y in the ball B r = {z ∈ R n | |z| ≤ r + 1}, | f (θ, x) − f (θ, y)| 2 + g(θ, x) − g(θ, y) 2 ≤ L r (θ)|x − y| 2 . H3 For each θ ∈ M, the mapping Λ(θ, ·) : R n → [0, ∞) is continuous and bounded, with upper bound a constant C Λ . H4 For all (θ, ϑ) ∈ M 2 , the mapping ρ (ϑ, θ, ·) : R n → [0, ∞) is continuous. H5 For all r ∈ N there exists a constant M r (θ) such that sup |x|≤r  R d |ψ(ϑ, θ, x, z )|µ(dz) ≤ M r (θ), for all ϑ, θ ∈ M H6 |ψ(θ, θ, x, z )| = 0 or > 1 for all θ ∈ M, x ∈ R n , z ∈ R d H7 {(θ ∗ t , X ∗ t )} hits the boundary ∂ E a finite number of times on any finite time interval H8 |ϑ i − ϑ j | > 1 for i = j, with | · | a suitable metric well defined on M. (Blom, 2003) has used (Lepeltier & Marchal, 1976) to prove a version of Proposition 4.1 where E = M × R n , i.e. there are no boundaries with instantaneous jumps. Subsequently, (Blom et al., 2003) have proven the proposition under H1-H8 and the additional co ndi tio n that {τ b k } is a sequence of predictable stopping times. (Krystul, 2006; Krystul & Blom, 2005) have shown that this additional condition can be removed. An overview of various HSDE versions is given in (Krystul et al., 2007). 4.3 Discussion of HSDE versus GSHS HSDE and GSHS have a lot of similarities . Both concatenate different solutions of SDEs with hybrid jumps at each moment of switching to another SDE. Hence the differences are of a rather technical nature. This section collects these technical differences between GSHS and its GSHP execution, versus HSDE and its GSHP solution: 1. For GSHS, the discrete state space is a countable space of discrete variables. For HSDE, the discrete state space is a finite set. 2. For GSHS, the continuous state i s Euclidean with a dimension dependent on θ. For HSDE, the continuous state is Euclidean with constant dimension n. 3. The times of spontaneous jump of the GSHS execution are driven by a survivor function which imposes a stochastic basis. For HSDE, the times of spontaneous jumps are driven by a Poisson random measure endowed upon a given stochastic basis. 4. For GSHS, the size of jump is driven by a transition measure Q. For HSDE, the jump size is determined by probability measure µ and measurable mappings ψ and ρ. 5. GSHS involves |K| Brownian motions. HSDE involves one Wiener process only. 6. For GSHS, the drift and diffusion coefficient are assumed (globally) Lipschitz and bounded. For HSDE, the drif t and dissusion coefficient are locally Lipschitz and are allowed to grow with the continuous state. For 1) and 2), GSHS has as advantage of bei ng more general than HSDE. HSDE however has significant advantages regarding issues 3)-6): Regarding 3)-5), HSDE has the advantage that this allows to establish the semi-martingale property. Regarding 6), HSDE removes the particular restriction of GSHS which excludes jump linear systems. 5. SDCPN, GSHS and HSDE are bisimilar This section shows that for each SDCPN there exis ts a GSHS which is bisimular, and there exists a HSDE which is bisimular. This is shown in the four theorems below. Theorem 5.1. Consider an arbitrary GSHS (K, d, X , f , g, Init, λ, Q) with a finite domain K. If for each θ and initial value X 0 , the stochastic differential equation dX t = f(θ, X t )dt + g(θ, X t )dB t has a unique solution in probabilistic sense, then this GSHS can be mapped into an SDCPN (P, T , A, N , S, C, I, V, W, G, D, F) satisfying R0-R4. If the resulting SDCPN is executed on a probability space endowed with standard Brownian motion (one for each place), then the resulting SDCPN process and the GSHS execution are probabilistically equivalent. Proof. See (Everdij & Blom, 2006). Theorem 5.2. Consider an arbitrary SDCPN (P, T , A, N , S, C, I, V, W, G, D, F) satisfying R0- R4. If in the initial marking no immediate transit ion is enabled, an d if the number of tokens remains finite for t → ∞, then this SDCPN can be mapped into a GSHS (K, d, X , f , g, Init, λ, Q). If the original SDCPN is executed on a probability space endowed with Brownian motion (one for each place) then the resulting GSHS execution and the SDCPN process are probabilistically equivalent. Proof. See (Everdij & Blom, 2006). Theorem 5.3 (HSDE into SDCPN). Consider an arbitrary HSDE (1)-(8) with elements (M, E , f , g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }). I f for each θ the stochastic differential equation dX t = f (θ, X t )dt + g(θ, X t )dW t has a unique solution in probabilistic sense and if Λ is bounded, then the elements of this HSDE can be mapped into an SDCPN (P, T , A, N , S, C, I, V, W, G, D, F) satisfying R0– R4. If the resulting SDCPN is executed on a probability space endowed with sequences of standard Brownian motions (one sequence for each place), then the resulting SDCPN process and the HSDE solution process are probabilistically equivalent. Proof. See Appendix A. Theorem 5.4 (SDCPN into HSDE). Consider an arbitrary SDCPN (P, T , A, N , S, C, I, V, W, G, D, F) satisfying R0–R4. If in the initial marking no immediate transition is enabled, if the delay rates D T are bounded, and if the number of tokens remains finite for t → ∞, then this SDCPN can be mapped into a HSDE ( 1)-(8) with elements (M, E, f , g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }). If the original SDCPN is executed on a probability space which is endowed with sequences of standard Brownian motions (one sequence for each place), then the resulting HSDE solution process and the SDCPN process are probabilistically equivalent. Proof. See Appendix B. PetriNets:Applications240 Theorems 5.1 and 5.2 imply that SDCPN and GSHS are bisimilar. Theorems 5.3 and 5.4 imply that SDCPN and HSDE are bisimilar. The implications are that GSHS and HSDE are also bisimilar and that the strengths of all three formalisms come within reach of each other. The use of this bisimilarity is illustrated by an example in the following two sections. 6. SDCPN example To illus tr ate the advantages of SDCPN when modelling a complex sy stem, consid er a sim- plified model of the evolution of an aircraft in one sector of airspace. The deviation of this aircraft from i ts intended path is affected by its engine system and its navigation system. Each of these aircraft systems can be in either Working ( functioning properl y) or Not working (op- erating in some failure mode). Both systems switch between these modes independently and with exponentially distributed sojourn times, with finite rates δ 3 (engine repaired), δ 4 (engine fails), δ 5 (navigation repaired) and δ 6 (navigation fails), respectively. If both sys tems are Work- ing, the aircraft evolves in Nominal mode and the position Y t and velocity S t of the aircraft are determined by dX t = V 1 (X t )dt + W 1 dW t , where X t = (Y t , S t )  . If either one, or both, of the systems is Not working, the aircraft evolves in Non-nominal mode and the position and veloc- ity o f the aircraft are determined by dX t = V 2 (X t )dt + W 2 dW t . The factors W 1 and W 2 are determined by wind fluctuations. Initially, the aircraft has position Y 0 and velocity S 0 , while both its systems are Working. The evaluation of this process may be stopped when the aircraft has Landed, i.e. its vertical position and velocity are equal to zero. P 2 I T 1a I T 1b I T 2 • P 1 G T 7 G T 8 P 7 P 3 D T 4 D T 3 • P 4 P 5 D T 6 D T 5 • P 6 Fig. 4. SDCPN graph for the aircraft evolution example Fig. 4 shows the SDCPN graph for this example, where, • P 1 denotes aircraft evolution Nominal, i.e. evolution is according to V 1 and W 1 . • P 2 denotes aircraft evolution Non-nominal, i.e. evolution is according to V 2 and W 2 . • P 3 and P 4 denote engine system Not working and Working, respectively. • P 5 and P 6 denote navigation system Not working and Working, respectively. • P 7 denotes the aircraft has landed. • T 1a and T 1b denote a transition of aircraft evolution from Nominal to Non-nominal, due to engine system or navigation system Not working, respectively. • T 2 denotes a transition of aircraft evolution from Non-nominal to Nominal, due to engine system and navigation system both Working again. • T 3 through T 6 denote transitions between Working and Not working of the engine and navigation systems. • T 7 and T 8 denote transitions of the aircraft landing. The graph in Fig. 4 completely defines SDCPN elements P, T , A and N , where T G = {T 7 , T 8 }, T D = {T 3 , T 4 , T 5 , T 6 } and T I = {T 1a , T 1b , T 2 }. The other SDCPN elements are specified bel ow: S: Two colour types are defined; S = {R 0 , R 6 }. C: C(P 1 ) = C(P 2 ) = C(P 7 ) = R 6 , i.e. tokens in P 1 , P 2 and P 7 have colours in R 6 ; the colour components model the 3-dimensional position and 3-dimensional velocity of the aircraft. C(P 3 ) = C(P 4 ) = C(P 5 ) = C(P 6 ) = R 0  ∅. I: Place P 1 initially has a token with colour X 0 = (Y 0 , S 0 )  , with Y 0 ∈ R 2 × (0, ∞) and S 0 ∈ R 3 \ Col{0, 0, 0}. Places P 4 and P 6 initially each have a token without colour. V, W: The token col our functions for pl aces P 1 , P 2 and P 7 are determined by (V 1 , W 1 ), (V 2 , W 2 ), and (V 7 , W 7 ), respectively, where (V 7 , W 7 ) = (0, 0). For places P 3 – P 6 there is no token colour function. G: Transitions T 7 and T 8 have a guard defined by G T 7 = G T 8 = R 2 × (0, ∞) × R 2 × (0, ∞). D: The jump rates for transitions T 3 , T 4 , T 5 and T 6 are D T 3 (·) = δ 3 , D T 4 (·) = δ 4 , D T 5 (·) = δ 5 and D T 6 (·) = δ 6 . F: Each transition has a unique output place, to which it fires a token with a colour (if applicable) equal to the colour of the token removed. 7. Mapping of SDCPN example to HSDE and GSHS Next we transform the SDCPN of Section 6 into an HSDE. The first step is to construct the state space M for the HSDE discrete process {θ t }. This is done by identifying the SDCPN reachability graph. Nodes in the reachability graph provide the number of tokens in each of the SDCPN places. Arrows connect these nodes as they represent transitions firing. The SDCPN of Fig. 4 has seven places hence the reachability graph for this example has elements that are vectors of length 7. These nodes, excluding the nodes that enable immediate transitions, form the HSDE discrete state space. The reachability graph is shown in Fig. 5, with nodes that fo rm the HSDE discrete state space in Bold typeface, i.e. M = {V 1 , . . . , V 8 }, with V 1 = (1, 0, 0, 1, 0, 1, 0), V 2 = (0, 1, 1, 0, 0, 1, 0), V 3 = ( 0, 1, 1, 0, 1, 0, 0) , V 4 = ( 0, 1, 0, 1, 1, 0, 0) , V 5 = ( 0, 0, 0, 1, 0, 1, 1) , V 6 = ( 0, 0, 1, 0, 0, 1, 1) , V 7 = (0, 0, 1, 0, 1, 0, 1), V 8 = (0, 0, 0, 1, 1, 0, 1). Since initially there is a token in places P 1 , P 4 and P 6 , the HSDE initial mode eq uals θ 0 = V 1 = (1, 0, 0, 1, 0, 1, 0) . The HSDE initial continuous state value equals the vector containing the initial colours of all initial tokens. Since the initial colour of the token in Place P 1 equals X 0 , and the tokens in places P 4 and P 6 have no colour, the HSDE initial continuous state value eq uals Col {X 0 , ∅ , ∅} = X 0 . The HSDE drift coefficient f is given by f (θ, ·) = V 1 (·) for θ = V 1 , f (θ, ·) = V 2 (·) for θ ∈ {V 2 , V 3 , V 4 }, and f (θ, ·) = 0 oth- erwise. For the diffusion coefficient, g (θ, ·) = W 1 for θ = V 1 , g(θ, ·) = W 2 for θ ∈ {V 2 , V 3 , V 4 }, and g (θ, ·) = 0 otherwise. The hybrid state space is given by E = {{θ} × E θ ; θ ∈ M}, where for θ ∈ {V 1 , V 2 , V 3 , V 4 }: E θ = R 2 × (0, ∞) × R 2 × (0, ∞) and for θ ∈ {V 5 , V 6 , V 7 , V 8 }: E θ = R 6 . Always two de lay transitions are pre-enabled: either T 3 or T 4 and either T 5 or T 6 . This yields Λ (V 1 , ·) = Λ(V 5 , ·) = δ 4 + δ 6 , Λ(V 2 , ·) = Λ(V 6 , ·) = δ 3 + δ 6 , Λ(V 3 , ·) = Λ(V 7 , ·) = δ 3 + δ 5 , [...]... PNs Among them we mention Colored Petri Nets (Jensen & Kristensen, 2009), Predicate Transition Nets (Genrich, 1986; Genrich & Lautenbach, 1981), 254 Petri Nets: Applications Numerical Petri Nets (Billington et al., 1988), PROT Nets (Bruno & Marchetto, 1986), Evaluative Petri Nets (Hudák, 1980) and TER Nets (Ghezzi et al., 1991) 2 Reachability Problem in Petri Nets Petri Nets are very well known FDT, and... specified by TB nets that would have to be based on "the loop-spectral analysis" of TB nets (Hudák & Teliopoulos, 1998b) 4.1 Time Interval Semantics of TB Nets In this section we deal with the time interval semantics of TB nets We want to extend the solution of the reachability problem (RP) (for Petri Nets) to Time Environment Relationships Nets (TER), particularly to TB nets Basic property of TB nets is that... coloured Petri nets, in S Jacka (ed.), Stochastics: an international journal of probability and stochastic processes, Vol 77 , number 1, Taylor & Francis, pp 1–29 Everdij, M & Blom, H (2006) Hybrid Petri nets with diffusion that have into-mappings with generalised stochastic hybrid processes, in H Blom & J Lygeros (eds), Stochastic hybrid systems: theory and safety critical applications, Vol 3 37 of Lectures... initially each have a token without colour V , W : The token colour functions for places P1 , P2 and P7 are determined by (V1 , W1 ), (V2 , W2 ), and (V7 , W7 ), respectively, where (V7 , W7 ) = (0, 0) For places P3 – P6 there is no token colour function G : Transitions T7 and T8 have a guard defined by G T7 = G T8 = R 2 × (0, ∞) × R 2 × (0, ∞) D : The jump rates for transitions T3 , T4 , T5 and T6 are... , V2 , V3 , V4 }: Eθ = R 2 × (0, ∞ ) × R 2 × (0, ∞ ) and for θ ∈ {V5 , V6 , V7 , V8 }: Eθ = R 6 Always two delay transitions are pre-enabled: either T3 or T4 and either T5 or T6 This yields Λ(V1 , ·) = Λ(V5 , ·) = δ4 + δ6 , Λ(V2 , ·) = Λ(V6 , ·) = δ3 + δ6 , Λ(V3 , ·) = Λ(V7 , ·) = δ3 + δ5 , 242 Petri Nets: Applications T7 V1 =(1,0,0,1,0,1,0) T4 T2 (0,0,0,1,0,1,1)= V5 T6 T5 T 6 (1,0,1,0,0,1,0) (0,1,0,1,0,1,0)... respectively), has a quite different meaning than a double clicking within the time interval duration an half of second 3.1 Environment Relationship Nets Environment-Relationship Nets (ER nets) (Ghezzi et al., 1991) represent a very strong extension to ordinary Petri Nets, that provides means to incorporate the notion of the time into the concept We start with some notions ER net is a net which can be characterized... can be stated to hold in TER nets Axiom 3’: All firing sequences are strong TER net that satisfies Axioms 1,2 and 3’ is called the strong TER net (STER net) Finally, when we assume that the only type of tokens is chronos then we obtain Time Basic (TB) nets In the class of TB nets we can distinguish two significant classes: 1 weak-time semantics WTS TB nets are those TB nets that satisfy Axiom 1,2,... techniques are used 262 Petri Nets: Applications Fig 3 TER Nets We have started the development of a new methodology of the reachability analysis, based on the new algorithm to solve the reachability problem by the first author (Hudák, 1981; Hudák, 1999), and the de/compositional approach to the problem (Hudák, 1994) Because of the specification of time critical systems by TB nets and that the task... Stochastic hybrid systems: theory and safety critical applications, Vol 3 37 of Lectures notes in control and information sciences (LNCIS), Springer, pp 325–350 Frehse, G (2008) PHAVer: algorithmic verification of hybrid systems past HyTech, International journal on software tools for technology transfer 10(3): 263– 279 Giua, A (1999) Bibliography on hybrid Petri nets http://bode.diee.unica.it/∼hpn/ Hu, J., Lygeros,... ·) G : For all θ ∈ M, G T G = Eθ θ Hybrid state Petri nets which have the analysis power of stochastic hybrid systems and the formal verification power of automata 2 47 D : For all θ ∈ M, D T D (·) = Λ(θ, ·) Since we assumed that Λ is bounded, e.g Λ(θ, ·) ≤ CΛ , θ we find that D T D (·) is bounded as well, and its upperbound is Cδ = CΛ θ F : Define for particular transition T, eϑ as the vector of length . P 2 and P 7 are determined by (V 1 , W 1 ), (V 2 , W 2 ), and (V 7 , W 7 ), respectively, where (V 7 , W 7 ) = (0, 0). For places P 3 – P 6 there is no token colour function. G: Transitions T 7 and. P 2 and P 7 are determined by (V 1 , W 1 ), (V 2 , W 2 ), and (V 7 , W 7 ), respectively, where (V 7 , W 7 ) = (0, 0). For places P 3 – P 6 there is no token colour function. G: Transitions T 7 and. ·) = Λ(V 7 , ·) = δ 3 + δ 5 , Petri Nets: Applications2 42 V 4 =(0,1,1,0,1, 0,0) (0,0,1,0,1,0,1)= V 8 V 2 =(0,1,1,0,0, 1,0) (0,1,0,1,1,0,0)= V 3 V 6 =(0,0,0,1,1, 0,1) (0,0,1,0,0,1,1)= V 7 (1,0,1,0,0,1,0)